
Adjusting individual detections

Content Groups provide an easy way to turn a whole group of detections on or off, but sometimes a finer-grained approach is needed. Sophos Linux Sensor (SLS) supports tuning the attributes of individual detections: enabling or disabling a single detection, changing the priority of its alert, changing its response action, and more. Here are some common attribute overrides, with examples.

Enabling a default-disabled detection

Refer to the List of Detection Categories and their Individual Detections for a list of default-disabled detections. For example, the New File Executed in Container detection is included in the SLS content packages but is turned off by default: the file telemetry it depends on can hurt performance on some systems, so you must opt in to use it.

To turn this detection on, you must add the following lines to /etc/sophos/runtimedetections-rules.yaml:

New File Executed in Container:
  enabled: true

These lines override the enabled attribute of the New File Executed in Container detection. The override takes effect once SLS is restarted with the snippet in place.

Setting a detection to have a "kill" response

Warning

You can't revert an automated response. Sophos strongly recommends testing automated responses using dry runs before you turn them on in a production environment. See dry runs.

All detections provided by Sophos alert by default, but most detections support additional response actions. A common use case for SLS is to set certain detections to an "enforcing" mode that will kill any processes that violate the detection rules.

For example, the Kernel Exploit detection is a good candidate for enforcement, as the detection has a very strong degree of certainty (that is, a very low false-positive rate). To turn on "enforcing" mode for Kernel Exploit and kill offending processes in their tracks, override the responseActions attribute for this detection by placing the following override snippet in the host's configuration file (/etc/sophos/runtimedetections-rules.yaml):

Kernel Exploit:
  responseActions:
    - kill

After SLS is restarted with the above configuration, any process that triggers the Kernel Exploit detection is killed, provided the offending process is still running when the detection fires. A process that has already exited by then only produces the alert.

Customizable attributes

Note

Not all attributes are customizable, because modifying some of them would fundamentally change the nature of a detection. If the attributes in this list are insufficient for configuring detections, custom policies allow you to create customized detections for your environment. See Creating custom detection policies.

Detection attribute     Customizable?
-------------------     -------------
policy                  no
enabled                 yes
alertMessage            yes
comments                yes
priority                yes
responseActions         yes
dryRun                  yes
rules                   no
alertLabels             yes
additionalCategories    yes
alertDetail             yes
contentGroups           yes

List attribute          Customizable?
--------------          -------------
type                    no
description             yes
list                    yes
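Because an override file is applied wholesale at restart, it is worth checking it before deploying. The following Python script is an added example, not Sophos code: it parses the small YAML subset the override snippets above use (detection name, then indented attribute: value pairs or "- item" lists), reports any override of an attribute the table marks as not customizable (policy, rules), and warns when a detection has been given the kill response without dryRun: true, reflecting the warning in the kill section above. The embedded override file is constructed sample input, the detection names "Some Other Detection" and "Yet Another Detection" are placeholders, and the assumption that dryRun takes a boolean true/false is ours; the list-object attributes (type, description, list) are out of scope for this check.

```python
"""Lint an SLS override file (runtimedetections-rules.yaml) before restart.

Added example, not Sophos code. Attribute names and the customizable /
not-customizable split come from the table on this page.
"""

# Detection attributes as documented on the page.
CUSTOMIZABLE = {
    "enabled", "alertMessage", "comments", "priority", "responseActions",
    "dryRun", "alertLabels", "additionalCategories", "alertDetail",
    "contentGroups",
}
NOT_CUSTOMIZABLE = {"policy", "rules"}

# Constructed sample of /etc/sophos/runtimedetections-rules.yaml.
SAMPLE_OVERRIDES = """\
# Constructed sample override file
New File Executed in Container:
  enabled: true

Kernel Exploit:
  responseActions:
    - kill
  dryRun: true          # assumed boolean: exercise the kill path without killing
  comments: enforcement staged for rollout

Some Other Detection:
  responseActions:
    - kill

Yet Another Detection:
  rules: not allowed here
"""


def _strip_comment(raw):
    """Drop full-line '#' comments and trailing ' #' comments."""
    if raw.lstrip().startswith("#"):
        return ""
    return raw.split(" #", 1)[0].rstrip()


def parse_overrides(text):
    """Parse the override-snippet shape into {detection: {attr: str | list}}.

    Minimal subset parser (two levels plus '- item' lists); not general YAML.
    """
    result = {}
    detection = attr = None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if indent == 0:                      # "Detection Name:"
            detection = body.rstrip(":")
            result[detection] = {}
            attr = None
        elif body.startswith("- "):          # list item under current attr
            if attr is None or not isinstance(result[detection][attr], list):
                raise ValueError(f"list item without a list attribute: {raw!r}")
            result[detection][attr].append(body[2:].strip())
        else:                                # "attr: value" or "attr:" (list follows)
            attr, _, value = body.partition(":")
            attr, value = attr.strip(), value.strip()
            result[detection][attr] = value if value else []
    return result


def _is_true(value):
    return str(value).strip().lower() == "true"


def lint(overrides):
    """Return (detection, severity, message) findings for an override mapping."""
    findings = []
    for name, attrs in overrides.items():
        for attr in attrs:
            if attr in NOT_CUSTOMIZABLE:
                findings.append((name, "error",
                                 f"'{attr}' is not customizable; use a custom detection policy"))
            elif attr not in CUSTOMIZABLE:
                findings.append((name, "warning",
                                 f"'{attr}' is not a documented detection attribute"))
        actions = attrs.get("responseActions", [])
        if isinstance(actions, list) and "kill" in actions \
                and not _is_true(attrs.get("dryRun", "false")):
            findings.append((name, "warning",
                             "'kill' response without 'dryRun: true'; dry-run it first"))
    return findings


if __name__ == "__main__":
    for detection, severity, message in lint(parse_overrides(SAMPLE_OVERRIDES)):
        print(f"{severity.upper():7} {detection}: {message}")
```

Run against the sample, the Kernel Exploit entry passes (kill is paired with a dry run), the placeholder detection with a bare kill gets a warning, and the attempt to override rules is reported as an error. Point the script at a real file by reading it into parse_overrides in place of SAMPLE_OVERRIDES.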

Advanced configuration: adjusting allowlists and blocklists

For more information on adjusting allowlists and blocklists, see Advanced Topics: Lists.